-
Notifications
You must be signed in to change notification settings - Fork 49
tracemerge
tracemerge is a libtrace tool that will merge together two (or more) traces into a single trace file.
tracemerge
[ -i | --set-interface ]
[ -u | --unique-packets ]
[ -z level| --compress-level=level ]
[ -Z method | --compress-type=method ]
outputuri inputuri...
-i, --set-interface
Replace the direction/interface bit in the format header based on which input trace the packet comes from, e.g. direction is 0 for packets from the first input file, 1 for packets from the second file, etc.
-u, --unique-packets
Ignore duplicate packets with identical timestamps.
-z, --compress-level
Sets the amount of compression performed on the output file. This value can range from 0 (no compression) to 9. Higher compression levels require more CPU to compress data. Defaults to no compression.
-Z, --compress-type
Sets the compression algorithm to be used when writing the output trace. Possible methods are "gzip", "bzip2", "lzo", "xz" or "none". Defaults to "none".
Concatenating traces:
tracemerge erf:merged_trace.gz erf:small-1.gz erf:small-2.gz erf:small-3.gz
Merging two directions back into a single trace:
tracemerge -i erf:merged_trace.gz erf:outgoing.gz erf:incoming.gz
Note: most libtrace applications regard a direction of 0 as outgoing and a direction of 1 as incoming, so be sure to specify the input URIs in the correct order.
-
The output trace format does not have to match the input formats, e.g.
tracemerge pcapfile:merged_trace.pcap.gz erf:small-1.gz erf:small-2.gzwill work. There is also no requirement for the input traces to all be of the same format either. These properties hold true for all libtrace applications, although format header information can be lost converting from one format to another, e.g. pcap headers have no space to store the ERF rxerror variable.
-
As the name implies,
tracemergewill produce a trace where the packets are all in timestamp order.